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DETAILED ACTION 

1. This action is in response to the application filed on 2/25/2002. 

2. Claims 1-22 are under examination. 

Claim Objections 

3. Claim 22 is objected to because of the following informalities: " the system of 
claim 11" should be "the method of claim 11" at line 1. Appropriate correction is 
required. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to 
a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1-3, 6-8, 13-15, 17-20 and 21 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Houston et al. (US Pub No. 2002/0019945) and in view of 
Blakely-Fogel et al (US Patent No. 4,864,492). 

As per claim 1 . Houston teaches: 
providing a plurality of enterprise device outputs {paragraph 0009 lines2-3 "managing 
a large amount of security event data collected form security devices"], at least a 
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portion of the outputs having different formats, each output containing an event relating 
to an enterprise device; translating each output into a common format event [paragraph 
0050 lines 10-11, page 5 lines 1-3 "the collector 225 is gathering data form variety 
of different security system located throughout the network, the collector 225 
preferably coverts the varied data to a uniform format" Fig. 8 and Fig. 16], 
applying one or more rules from a set of rules to the knowledge-containing common 
format event to generate the alert indication [paragraph 0009 lines 5-6 "applying the 
criteria (i.e. rules) to the collected data to produce a result (i.e. alert)" paragraph 
0009 lines 10-13 "the results form applying the criteria can be rendered in a 
variety of different graphical formats including, but not limited to, tables, graphs, 
charts and tree diagrams" Fig. 15,16,17]. 

Houston doesn't teach that adding knowledge to the common format 
event using knowledge base table files to generate a knowledge-containing common 
format event. 

However, Blakely-Fogel teaches that adding knowledge (i.e. modifying or 
changing) to the common format event using knowledge base table files [Fig. 2] to 
generate a knowledge-containing common format event [Fig. 2 "Knowledge base 
table", Fig. 3 "change current data"]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Blakely-Fogel into 
the teaching of Houston to use knowledge base table and to modify the data. The 
modification would be obvious because one of ordinary skill in the art would be 
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motivated to utilize the knowledge base table. It represented in rule based information 
tables. It contains a table of rules of the network architecture known as expert 
information, so user receives the knowledge of an expert to correct the input errors 
[Blakely-Fogel, col. 2 lines 3-6,19-22]. 

As per claim 2 , the rejection of claim 1 is incorporated and further Houston 

teaches: 

the common format event (i.e. an output) contains at least a generic description of a 
specific event occurring as part of each device output [paragraph 0045 lines 13-17 
"client 115 can initialize and render the display for the scope on an output device, 
such as a monitor or printer. The display for the scope can comprise one or more 
tables, charts, graphs, tree diagrams, or other renderings for presenting data to a 
user (i.e. a generic description of a specific event), Fig. 17]. 

As per claim 3 , the rejection of claim 1 is incorporated and further Blakely- 
Fogel teaches: 

comparing the common format event for each network device to a number of knowledge 
base table entries contained in a knowledge base table [Fig. 3, component 34], 
wherein knowledge is added from one or more of the knowledge base table entries 
when a match (i.e. accept) between the translated common format event and the entry 
in the knowledge base table is made [Fig. 3 component 34, 36, Fig. 2], 
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Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Blakely-Fogel into 
the teaching of Houston to use knowledge base table and to modify the data. The 
modification would be obvious because one of ordinary skill in the art would be 
motivated to utilize the knowledge base table. It represented in rule based information 
tables. It contains a table of rules of the network architecture known as expert 
information, so user receives the knowledge of an expert to correct the input errors 
[Blakely-Fogel, col. 2 lines 3-6,19-22]. 

As per claim 6 , the rejection of claim 1 is incorporated and further Houston 

teaches: 

the knowledge-containing common format event comprises one or more names 
selected from the group of a device alert, a generic alert, a threat severity, a benign 
explanation, a recommended action, a common vulnerabilities and exposure code, a 
conclusion, and a category code, and a corresponding value for each name (i.e. event 
types) [Fig. 16 "Event Type"]. 

As per claim 7 , the rejection of claim 1 is incorporated and further Houston 

teaches: 

one or more rules determine when or whether the knowledge-containing common 
format event is generated, and final rule-based additions content of such generated 
events [paragraph 0045 lines 6-11 "the configuration criteria (i.e. rules) for the 
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scopes can be stored on the analyzer storage module 230 of database server 
145. Typical configuration criteria include sorting security event data by 
destination address or event type. In step 410 the persistence module 245 
retrieves the configuration criteria for the desired scope from the database server 
145" Fig. 16,17,18]. 

As per claim 8 , the rejection of claim 7 is incorporated and further Houston 

teaches: 

the rule requires that the each output occur a number of times over a period of time 
before an alert indication is generated [paragraph 0051 lines 3-9 "the analysis of 
data may be initiated by a scheduled trigger within the event manager as instep 
905 or in response to an external request from a user as in step 910. An analysis 
of data typically occurs over a defined time period. In step 915, client 115 inputs a 
particular start time or the scheduled start time is sent to the analyzer module 
265" Fig. 9]. 

As per claim 13 , the rejection of claim 1 is incorporated and further 
Houston teaches: 

the alert indication includes at least a text message describing the event contained in 
the output of the enterprise device [paragraph 0045 lines 12-17 "in step 420, client 
115 can initialize and render the display for the scope on an output device, such 
as a monitor or printer. The display for the scope can comprise one or more 
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tables, charts, graphs, tree diagrams, or other renderings for presenting data to a 
user (i.e. a generic description of a specific event)", Fig. 15,17]. 

As per claim 14 , the rejection of claim 13 is incorporated and further 
Houston teaches: 

a threat level is included as part of the alert indication [paragraph 0058 lines 11-14 
"the table 1515 typically indicates when a security event took place, the source 
and destination addresses of the security event, the event type and priority, and 
the system that detected the security event" Fig. 15]. 

As per claim 15 , it is a system claim corresponds to method claim 1 and is 
rejected for the same reason set forth in the rejection of claim 1 above. Further Houston 
teaches a number of various files (i.e. program/software modules) [paragraph 0008 
lines 7-9]. 

As per claim 17 . the rejection of claim 15 is incorporated and further claim 
17 is a system claim corresponds to a method claim 6 and is rejected for the same 
reason set forth in the rejection of claim 6 above. 
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As per claim 18 , the rejection of claim 15 is incorporated and further 
Houston teaches: 

the common format event comprises a message, and a number of name and value 
pairs derived from the output of the enterprise device [Fig. 16]. 

As per claim 19 , the rejection of claim 17 is incorporated and further 
Houston teaches: 

the rule files govern at least the frequency of the generation of the alert indication 
[paragraph 0009 lines 5-6 "applying the criteria (i.e. rules) to the colleted data to 
produce a result (i.e. alert)", paragraph 0051 lines 6-9 "an analysis of data 
typically occurs over a defined time period. In step 915, client 115 inputs a 
particular start time or the scheduled start time is sent to the analyzer module 
265"]. 

As per claim 20 , the rejection of claim 19 is incorporated and is rejected 
for the same reason set forth in the rejection of claim 18 above. 

As per claim 21 . the rejection of claim 7 is incorporated and further 
Blakely-Fogel teaches: 

the rule adds information (i.e. modifying or changing data) to the knowledge-containing 
common format event (i.e. data) [Fig. 2 knowledge base tables 20, rules 21 and Fig. 
3 component 34 and 36 (change current data)]. 
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5. Claims 4, 9 and 16 are rejected under 35 USC 103 (a) for being unpatentable 
over Houston et al in view of Blakely-Fogel et al, and further in view of Lim (US Pub No. 
2004/0250133). 

As per claim 4 , the rejection of claim 1 is incorporated and Houston and 
Blakely-Fogel don't clearly teach that the enterprise devices are selected from the group 
consisting of a server, a firewall, a modem, a work station, a router, a remote machine, 
an intrusion detection system, an identification and authentication server, network 
monitoring and management systems, network components, and one or more 
combinations thereof. 

However, Lim discloses that the enterprise devices are selected from the 
group consisting of a server, a firewall, a modem, a work station, a router, a remote 
machine, an intrusion detection system etc [Fig. 1 component 12, alert form 
IDS/firewall, etc]. 

Therefore, it would have been obvious to a person of ordinary skill in the art 
at the time the invention was made to incorporate the teaching of Lim into the teaching 
of Houston and Blakely-Fogel to use event manager for monitoring the events 
generated from IDS, firewall etc. The modification would be obvious because one of 
ordinary skill in the art would be motivated to provide better security protection [Lim, 
paragraph 0003], 



Application/Control Number: 10/080,574 Page 10 

Art Unit: 2135 

As per claim 9 , the rejection of claim 1 is incorporated and Houston and 
Blakely-Fogel don't clearly teach the output is one of an unauthorized login, an 
unauthorized physical entry, and an attempt to bypass a firewall. 

However, Lim discloses that the output (i.e. triggers) is one of an 
unauthorized login, an unauthorized physical entry, and an attempt to bypass a firewall 
[paragraph 0034, lines 1-3, 7-20 "the triggers are in the form of an intrusion 
detection system, a firewall program, antivirus software, an application software 
and/or operating systems logs a firewall protecting a corporate network that 
suffers an Internet Control Message Protocol (ICMP) flood and registers a list of 
violations will trigger an alarm. An intrusion detection system that detects a 
string of commands targeted at a corporate mail server for the purpose of 
exploiting administrator access will trigger an alarm"]. 

Therefore, it would have been obvious to a person of ordinary skill in the 
art at the time the invention was made to incorporate the teaching of Lim into the 
teaching of Houston and Blakely-Fogel to use event manager for monitoring the 
triggers. The modification would be obvious because one of ordinary skill in the art 
would be motivated to provide better security protection [Lim, paragraph 0003]. 

As per claim 16 , the rejection of claim 15 is incorporated and further claim 
16 is a system claim corresponds to a method claim 4 and is rejected for the same 
reason set forth in the rejection of claim 4 above. 
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Allowable Subject Matter 

6. Claims 5, 10, 11,12 and 22 objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Pohlmann et al (US Patent No. 6,366,926) discloses a method for routing 
a subscription request defined by an event filter. The method includes parsing the 
event filter into an evaluation tree having at least one subexpression, locating the at 
least one subexpression and determining if the at least one subexpression includes a 
node specific field. 

Farley et al (US Pub. No 2002/0078381) discloses a security 
management system includes a fusion engine which "fuses" or assembles information 
from multiple data sources and analyzes this information in order to detect relationships 
between raw events that may indicate malicious behavior and to provide an organized 
presentation of information to consoles without slowing down the processing performed 
by the data sources. 

Orchier et al (US Patent No. 6,070,244) discloses a method and system 
for controlling computer security. The system is a centralized, computer-network 
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security management tool capable of handling many different kinds of equipment in a 
standardized format despite differences in the computer security features among the 
diverse range of computer equipment in the computer network. 

Porras et al (US 6,704,874) discloses a method of managing alerts in a 
network including receiving alerts from network sensors, consolidating the alerts that 
are indicative of a common incident and generating output reflecting the consolidated 
alerts. 

Diep et al (US 6,671,811) discloses that Detecting harmful or illegal 
intrusions into a computer network or into restricted portions of a computer network 
uses a features generator or builder to generate a feature reflecting changes in user 
and user group behavior over time. 

Bowman-Amuah (US 6,324,647) discloses a system, method, and article 
of manufacture are provided for providing security management in a development 
architecture framework. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Nirav Patel whose telephone number is 571-272- 
5936. The examiner can normally be reached on 8 am - 4:30 pm (M-F). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on 571-272-3859. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. Information regarding the status of an application may be obtained from the 
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Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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